The UK’s data protection watchdog claims a crack down on websites that don’t ask for consent from visitors to track and profile their activity for ad targeting is bearing fruit. However it’s admitted some of the changes driven by the intervention have seen sites adopting a controversial type of paywall that demands users pay a fee to access content or else agree to being tracked and profiled for ad targeting (also known as, “pay or consent”).
The ICO hasn’t divulged which sites have shifted to a pay-or-consent model since it started asking questions about their tracking cookies. But it has named and shamed a couple of companies for not playing by other cookie rules.
On Tuesday local time, the Information Commissioner’s Office (ICO) announced it’s issued a reprimand to Bonne Terre, the company behind Sky Betting and Gaming, for unlawfully processing people’s information without their consent.
Research has highlighted the myriad harms that data-driven tracking can pose to vulnerable individuals with addiction problems which may explain why the ICO’s public reprimand has focused on a company in the gambling sector.
“From 10 January to 3 March 2023, Sky Betting and Gaming was processing people’s personal information and sharing it with advertising technology companies as soon as they accessed the SkyBet website — before they had the option to accept or reject advertising cookies,” the ICO wrote in a press release. “This meant their personal information could be used to target them with personalised adverts without their prior consent or knowledge.”
The regulator told TechCrunch it opted for a reprimand in this case, rather than a sanction, as it believes it’s a proportionate use of its powers — “based on what will achieve the best outcome, as well as based on our priorities and limited resources.”
“In this case, we took into account Bonne Terre’s positive engagement with the ICO and the steps taken to improve compliance, and decided that a reprimand is the most proportionate action,” ICO spokesperson James Huyton added.
The reprimand is part of a wider ICO intervention on consentless cookie tracking. The regulator highlighted a review it conducted last year of the UK’s “top 100 websites” which led to it identifying “issues” with how more than half the sites were using advertising cookies. It then wrote to the 53 sites involved, warning they faced enforcement action if they did not amend how they deploy ad cookies to comply with data protection law. The ICO suggests the outreach has helped purge some non-compliant cookie banners.
The regulator declined to confirm the identities of any of the other sites contacted as part of this cookie compliance sweep. But reporting outcomes from its flurry of letter writing, the ICO said 52 of the websites it reached out to have made changes to how they gather consent to tracking. Per the ICO a variety of changes have been observed, including some sites switching to a so-called “pay or consent” model — where visitors are blocked from accessing site content unless they agreed to be tracked or else pay a fee.
Pay or consent is a controversial approach that’s currently under legal and regulatory challenge in the European Union, including by privacy and consumer watchdogs. Meta’s implementation of pay or consent is also suspected of breaking the bloc’s market fairness rules. (The ICO declined to specify if Meta was one of the site owners it contacted vis-a-vis cookie consent.)
In a statement accompanying its reporting of the results of the cookie banner sweep, Stephen Bonner, the ICO’s deputy commissioner, claimed the intervention had led to 99 of the top 100 UK websites “either already offering a meaningful choice over advertising cookies or making changes to gain people’s consent”. Which is quite the either/or.
Bonner’s statement does not provide any metrics to quantify the ICO’s actual impact on consent choices for UK web users. He merely says “some” of the changes observed included the introduction of a reject all button to sites that lacked one before; others entailed sites making their accept all and reject all buttons equally prominent; and other sites have introduced alternatives such as “consent or pay” — a business model whose legality the ICO is “currently reviewing”.
The gold standard for complying with the U.K.’s General Data Protection Regulation, which is based on the EU framework of the same name, would be to present site visitors with a simple yes/no choice to accept or refuse tracking. Sites that fail to do so, such as by — for example — only letting users accept but not refuse tracking or making it really easy to click an accept tracking button but hiding the refuse option multiple menus down in confusingly worded settings — should face enforcement for non-compliance. But all too often they’ve got away with using manipulative dark patterns to steal consent.
The ICO must take its share of the blame, here, having spent years ignoring warnings from privacy campaigners about the adtech industry’s out-of-control data gathering. It also failed to take decisive action on its own concerns about the sector’s data-grabbing practices, as set out in a 2019 report — closing a complaint without issuing a decision back in 2020, for example, as it opted for soft peddling industry engagement instead of vigorous enforcement.
Last year’s cookie sweep looks like the ICO’s bid to be finally seen doing something after many years of letting adtech players off the compliance hook. But its actions may raise questions given the enforcement appears to have fuelled growth in the use of the controversial “pay or consent” tactic. It’s also interesting to consider the sites it’s choosing to name and shame compared to others also not offering a clear yes/no choice to users but whose names we have to infer.
As well as publicly reprimanding Sky Betting, the ICO has elected to name and shame gossip website Tattle Life — which it says was the only one of the 53 websites it contacted that did not engage with the outreach. It said it will now open an investigation into its use of cookies and “apparent failure” to register with the ICO.
But what about websites that have switched to deploying ‘consent or pay’ cookie banners, meaning they don’t offer web users a free choice to deny tracking either?
Tech giant Meta got into this game last year, opting to arm-wring consent to its ad tracking from users of Facebook and Instagram by imposing a pay us or let us track you paywall on its erstwhile free-to-access social networks. Since then, an increasing number of UK news websites have aped the tactic — with ‘pay or consent’ walls popping up all over previously free-to-visit ad-supported journalism.
We asked the ICO for its views on the creep and rise of ‘pay or consent’, including Meta’s adoption of the tactic, and its spokesman pointed back to earlier comments by Bonner, who wrote: “Following engagement with Meta, we are examining how UK data protection law would apply to any potential ad-free subscription service. We will expect Meta to consider any data protection concerns we raise prior to any introduction of a subscription service for its UK users.”
Earlier this year the ICO ran a consultation on pay or consent business models saying it hoped to provide an initial view on the approach but it has yet to adopt a clear public position. And in that regulatory grey area, many a ‘consent or pay(wall)’ is popping up.
“With reference to consent or pay models, we told companies that they were not being transparent with the public and that they needed to offer people meaningful choice about how their data is used and shared on their websites,” its spokesman added. “Some companies introduced alternative methods to obtain consent, such as ‘consent or pay’, which we are now reviewing as a business model following our consultation in early 2024. We’ll set out our position towards the end of the year. In the meantime, we’ll continue to monitor the development of new approaches.”